house Bill H.R. 5576

Should the President Respond to Foreign States' Cyberattacks Under a Formal Process?

Argument in favor

State-sponsored cyberattacks are on the rise, and it’s important to fight them with every tool in the U.S. government’s arsenal. This includes broad sanctions and punishments for individuals and state actors involved in cyberattacks against the U.S. – and this bill is a necessary expansion of the president’s power to impose such consequences.

Argument opposed

The White House and executive branch agencies already have the authority to use all the sanctions and tools in this bill — and there’s no need for a more formalized structure to ensure action is taken.

1) We need to draft a piece of legislation that acknowledges cyber attacks are the equivalent of an actual attack on domestic soil. 2) we need to secure our cyber security systems and modernize to prevent any previous bugs 3) #45 is not trust worthy to be in charge of our security. He would keep face with our enemies to prop his own ego before willing to do what’s right for the American public’s safety.

What is House Bill H.R. 5576?

This bill — known as the Cyber Deterrence and Response Act of 2018 — would establish a strategy for the U.S. to respond to attacks by foreign state-sponsored hackers by giving the president the authority to identify, respond to, and deter cyber attackers.

The president, acting through the Secretary of State, would designate the following as critical cyber threats:

Foreign persons and foreign state agencies that the president deems to be responsible for or complicit in state-sponsored cyber activities that have threatened U.S. national security, foreign policy, economic health, or financial stability;

Foreign persons that the president has determined to have knowingly materially assisted or provided support for cyber attacks against the U.S. by a foreign person or foreign state agency;

Foreign state agencies that the president has determined to have materially assisted or supported cyber attacks against the U.S. by a foreign person or agency;

Foreign persons that the president has determined to have attempted to engage in or support cyber attacks against the U.S.; and

Foreign agencies that the president has determined to have attempted to engage in or support cyber attacks against the U.S.

This bill would also establish a comprehensive, uniform list of foreign hacking groups to give government agencies common terminology when discussing cyberthreats. This list would be published in the Federal Register, and would include input from various federal agencies.

The president would impose either travel-related or non-travel-related sanctions (or both) with respect on foreign persons and states designated as critical cyber threats. Non-travel related sanctions include:

Withdrawal or suspension of non-humanitarian U.S. development assistance or security assistance; U.S. opposition to international financial institutions’ loans to hostile foreign states; directing the Export-Import Bank, the Overseas Private Investment Corporation, or other U.S. agencies not to approve guarantees, insurance, credit, or extension of credit; import restrictions; and export restrictions.

Travel-related sanctions include: making foreign nationals designated as critical cyber threats inadmissible to the U.S., ineligible to receive a visa to enter the U.S., and otherwise ineligible to be admitted or paroled into the U.S.; and revoking vias or other entry documentation issued to foreign persons designated as critical cyber threats.

Foreign states could be subject to additional sanctions from the president, including: banning the export of items on the U.S. Munitions List to the governments of foreign states designed as critical cyber threats; prohibiting transactions in foreign exchange in which the governments of foreign states designated as critical cyber threats have an interest; and prohibit transfers or credit or payments between one or more financial institutions when those transactions are subject to U.S. jurisdiction and involve any interest of the government of the foreign state.

On a case-by-case basis, the president could waive the imposition of sanctions for a period of up to one year, and could then renew that waiver for additional periods of no more than one year. When waivers are granted, the appropriate Congressional committees would have to receive written determinations from the president attesting to the reason for the waiver.

The president may remove sanctions if the president determines the foreign person or foreign state subject to sanctions has verifiably ceased participation in cyber attacks against the U.S.

The president shall be required to periodically report to Congress about state-sponsored cyber activities against the U.S.

“Not all threats to our national security are kinetic. More and more, countries who wish to weaken the United States and disrupt our way of life are using keyboards and the internet. China, North Korea, Iran, Russia, and other malicious actors have developed sophisticated capabilities that can disrupt our networks, endanger our critical infrastructure, harm our economy, and undermine our elections. These cyber attacks must be stopped. My Cyber Deterrence and Response Act will shine a light on these countries and create a framework that not only deters but provides the proper response for their actions. It is vital that when these attacks happen, they are exposed, pulled out of the shadows, and punished accordingly.”

Writing in The Guardian in 2013, Adam Segal, the Maurice R. Greenberg Senior Fellow for China Studies at the Council on Foreign Relations, argued that cyberattacks are difficult to retaliate against due to the limited — and still-undefined — definitions of what constitutes an attack or legitimate target:

“There are still no mutually agreed upon terms of what types of cyber-attacks would be considered a use of force or what constitutes a legitimate target. A standoff could very easily escalate, producing unintended and disastrous outcomes, if both sides miscommunicate and misperceive red lines… [the U.S. and potential adversaries, such as China] should try and dispel the growing mistrust by explaining their national interests and intentions in cyberspace.”

“This new approach of investigation and attribution showed we can find out who’s doing these things, and that’s because Sony did the right thing and reported it to government... Two, we said it: That’s new. Take it out of the intelligence channels and be public about it, because that’s the only way to change the behavior of the people who are launching these attacks, but also the other countries who are watching them get away with it… The idea is that if you let someone walk across your lawn for long enough, they get the right to walk across your lawn. It’s called an easement, and that’s how international law works. We had a situation where attacking private companies was the day job for uniformed members of the second largest military in the world, and that case was a giant no-trespass sign: ‘Get off our lawn.’”

“[W]e still need to do a better job of actually imposing consequences on those countries that actually make a difference, and I think that requires a lot more strategic thought… I think we're creating a norm of inactivity, that these are acceptable [behaviors] because no one does anything about it."

This legislation passed the House Foreign Affairs Committee with unanimous support and currently has the support of 13 bipartisan cosponsors of this bill, including seven Democrats and six Republicans.

1) We need to draft a piece of legislation that acknowledges cyber attacks are the equivalent of an actual attack on domestic soil. 2) we need to secure our cyber security systems and modernize to prevent any previous bugs 3) #45 is not trust worthy to be in charge of our security. He would keep face with our enemies to prop his own ego before willing to do what’s right for the American public’s safety.

The White House and executive branch agencies already have the authority to use all the sanctions and tools in this bill — and there’s no need for a more formalized structure to ensure action is taken. I’m also against giving the executive more unilateral power.

What is a formal process? You mean calling the U.N.?? Hahahaha! The World Criminal Court? Hahahaha! No! You Cyber Attack right back! A lot of our government agencies invest a lot of money into the security of their systems against cyber attacks from foreign entities mostly foreign governments! The United States Air Force and Navy as well as CIA and NSA have small armies that do nothing but look at computer monitors and track stuff!! The big corporations are constantly under cyber attack from all over the world! The taxpayer however must not be held accountable for paying the tab of say there is a government agency helping to protect them except Defense Contractors!

Timely! In this instance, with current POTUS, and the known and recognized erratic behavior and doubtful reliability of his judgement in many diverse circumstances, No More Unilateral power must be encouraged to be practiced by this POTUS-unless. Indispensable oversight by Congress is asserted with their authorizing or denying his selected course of action.

The president can make recommendations on punishment for those countries who commit cyber attacks against the U.S but Congress should have the final authority. We need to quit taking power away from one branch and giving it to another. We have three separate branches for a reason with three separate duties and power.

I believe that our computer techs need to design programs that block these attacks. If we leave it to our Treasonous and obstruction of justice President, he will make a mess out of it, and cause more harm to the American people.